IACS Network Security & Secure Remote Access
Guy Denis gudenis@cisco.com
Rockwell Automation Alliance Manager Europe
www.cisco.com/go/security
11th Feb 2014
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
On average, there is a ratio of 15:1 industrial devices to enterprise devices within a manufacturing plant
Industrial devices: Meter, Sensor, Machines, Vehicles, Robots, HMI, I/O, Controller/PLC, Scanner, Phone, RFID Tag
Enterprise devices: IP Phone, PC, Printers, Servers
“As manufacturers replace legacy network systems and look for areas to streamline on a common solution, ARC sees a tremendous opportunity for growth of EtherNet/IP applications,” according to Craig Resnick, Research Director, ARC Advisory Group
Potential Disruptions
• Theft
• Unintended employee action
• Natural or manmade disaster
• Unauthorized contractor actions
• Security patches
• Worms, viruses, malware
• Denial of service
• Sabotage
• Unauthorized access
• Unauthorized employee action
Stuxnet – a wake-up call: breakdown of Stuxnet
Ralph Langner (German control systems security consultant), TED talk: http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
F-Secure wrap-up on Stuxnet: http://www.youtube.com/watch?v=gFzadFI7sco
• Fragile TCP/IP stacks – an nmap scan or ping sweep can lock up a controller
• Little or no device-level authentication
• Poor network design – hubs, unmanaged switches
• Windows-based IA servers – patching, legacy OS
• Unnecessary services running – FTP, HTTP
• Open environment – no port security, no physical security of switches or Ethernet ports
• Limited auditing and monitoring of access to IA devices
• Unauthorized use of HMI and IA systems for browsing, music/movie downloads
• Lack of IT expertise in IA networks, many blind spots
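The first and fifth bullets above (TCP/IP stacks that a scan can lock up, and services such as FTP and HTTP that have no business on a controller) are the ones a practitioner has to act on without causing an outage. The script below is an added example, not code from the deck or from Cisco or Rockwell Automation: it audits a pre-approved asset list with single, throttled TCP connect probes instead of a sweep, and reports services that should not be exposed. The role/port policy table, the 10.17.10.x addresses and the simulated network are assumptions made for illustration; EtherNet/IP explicit messaging on TCP 44818 is the one protocol fact it relies on.

```python
"""Conservative service audit for an IACS asset list.

Added example; not code from the original deck or from Cisco/Rockwell.
It illustrates two of the weaknesses listed above: probe gently because
controller TCP/IP stacks are fragile (no nmap SYN scan, no ping sweep),
and flag services that should not be running on IA devices (FTP, HTTP,
Telnet). The policy table and the sample network are assumptions.
"""
import socket
import time

# Assumed policy (illustrative, not vendor guidance).
# EtherNet/IP explicit messaging uses TCP 44818; RDP 3389 is tolerated on HMIs.
EXPECTED_PORTS = {"plc": {44818}, "hmi": {44818, 3389}}
UNWANTED_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


def tcp_connect_probe(host, port, timeout=1.0):
    """One ordinary TCP connect per probe: the least stressful thing a fragile
    embedded stack will see (no raw SYN scanning, no OS fingerprinting)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(assets, probe=tcp_connect_probe, delay=0.5, budget=8):
    """Walk a pre-approved inventory one host at a time.

    assets: list of (host, role) taken from the asset register, never from
            a discovery sweep.
    probe:  callable(host, port) -> bool; injectable so the audit can run
            against a simulated network.
    delay:  seconds to pause between probes so no device sees a burst.
    budget: hard cap on probes per host.
    Returns findings as (host, port, severity, message).
    """
    findings = []
    for host, role in assets:
        expected = EXPECTED_PORTS[role]
        to_check = sorted(expected | set(UNWANTED_PORTS))
        if len(to_check) > budget:
            raise ValueError(f"{host}: {len(to_check)} probes exceeds budget {budget}")
        for port in to_check:
            is_open = probe(host, port)
            time.sleep(delay)
            if port in UNWANTED_PORTS and is_open:
                findings.append((host, port, "high",
                                 f"{UNWANTED_PORTS[port]} exposed on a {role}; disable it"))
            elif port in expected and not is_open:
                findings.append((host, port, "info",
                                 f"expected {role} service on {port} not reachable"))
    return findings


# Constructed sample network for the demo (not a real plant).
SAMPLE_NETWORK = {
    ("10.17.10.21", 44818): True,   # PLC: EtherNet/IP up
    ("10.17.10.21", 80): True,      # PLC: embedded web server left enabled
    ("10.17.10.31", 44818): True,   # HMI
    ("10.17.10.31", 3389): True,    # HMI: RDP expected
    ("10.17.10.31", 21): True,      # HMI: FTP should not be there
}


def demo():
    """Run the audit against the constructed network with no delay."""
    assets = [("10.17.10.21", "plc"), ("10.17.10.31", "hmi")]
    return audit(assets, probe=lambda h, p: SAMPLE_NETWORK.get((h, p), False), delay=0)


if __name__ == "__main__":
    for host, port, sev, msg in demo():
        print(f"[{sev}] {host}:{port} {msg}")
```

Run it as a script to see the findings for the simulated network. Point `audit()` at the real `tcp_connect_probe` only during a maintenance window, keep the half-second delay, and take the inventory from the asset register rather than from a discovery scan.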
Defense in Depth Approach
[Architecture diagram: converged plantwide Ethernet reference architecture; labels grouped by zone]
Cell/Area Zone (Levels 0–2, Layer 2 access): IE3000/3010/2000 Layer 2 access switches; Cell/Area #1 redundant star topology, Cell/Area #2 ring topology, Cell/Area #3 linear topology; controllers, drives, HMIs, distributed I/O. Requirements: real-time control, fast convergence, traffic segmentation and management, ease of use.
Manufacturing Zone (Level 3, distribution and core): Cisco Catalyst 6500/4500 and Catalyst 3750X StackWise switch stack; SCADA application and services servers; network services. Requirements: site operations and control, multi-service networks, network and security management, routing.
Demilitarized Zone (DMZ firewalls): Cisco ASA 5500 firewalls, active/standby with a Gbps link for failover detection; patch management, terminal services, application mirrors, AV servers. Requirements: application and data share, access control, threat protection.
Enterprise Network (Levels 4–5): web apps, DNS, FTP; Internet. Requirements: enterprise/IT integration, collaboration, wireless, application optimization.
Defense in Depth (layers: Physical, Network, Computer, Device, Application)
• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room; escort and track visitors
• Network Hardening – infrastructure framework, e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
• End-point Hardening – patch management, antivirus software, as well as removal of unused applications, protocols, and services
• Application Security – authentication, authorization, and audit software
• Device Hardening – change management and restrictive access
Secure Network Architectures for Industrial Control Systems
• Security is not a bolt-on component
• Comprehensive Network Security Model for Defense-in-Depth
• Industrial Security Policy
• DMZ Implementation
• Design Remote Partner Access Policy, with robust & secure implementation
Panduit/RA Physical Layer Reference Architectures Design Guide
[Image: physical port security devices, labelled PSL-DCPL and PSL-DCJB]
• All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ
• Application data mirror: replicated services in the DMZ serve each side instead of a direct connection between them
• No primary services are permanently housed in the DMZ
• The DMZ shall not permanently house data
• No control traffic (e.g. EtherNet/IP/CIP) into the DMZ
• Be prepared to “turn off” access via the firewall: there is a disconnect point on each side of the DMZ
[Diagram: Enterprise Security Zone – disconnect point – DMZ (replicated services) – disconnect point – Industrial Security Zone, labelled “No Direct Traffic”]
[Diagram: Purdue Reference Model (ISA-95) and Industrial Security Standard ISA-99 levels]
Level 5 – Enterprise Network (Enterprise Zone)
Level 4 – Site Business Planning and Logistics Network: e-mail, intranet, etc. (Enterprise Zone)
DMZ – Terminal Services, Patch Management, AV Server, Application Mirror, Web Services, Operations Application Server; firewalls above and below the DMZ; traffic labels: Web, E-Mail, CIP
Level 3 – Site Manufacturing Operations and Control (Process Control Domain): SCADA App Server, SCADA Directory, Engineering Workstation, Domain Controller
Level 2 – Area Supervisory Control (Process Control Network): SCADA Client, Operator Interface, Engineering Workstation
Level 1 – Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
Level 0 – Process: Sensors, Drives, Actuators, Robots
1. Firewall Services (segmentation, isolation)
2. Application Services (behavior enforcement, application intelligence and awareness, gateway capabilities)
3. Logging and Historical Services (traffic and event histories)
4. Encryption and Data Integrity Services (remote access, and secure channels for data transfer)
5. IPS/IDS Services (deep packet inspection – Sourcefire and Wurldtech industrial signatures)
6. Malware Detection and Filtering (deep packet and URL inspection)
[Diagram: security technologies placed by level] Components: VPN, VDI, WSA, IPS, ASA-CX, ASA, ISE. Zones: Enterprise Zone (Levels 4–5), DMZ (Level 3½), PCD / Manufacturing Zone (Level 3), PCN / Cell/Area Zone (Levels 0–2), 1783-SR at the cell/area edge.
Secure Remote Access
Use the Stratix 5900 (1783-SR) industrial services router for remote access, NOT the device pictured (or similar such items)
Defense in Depth – security technologies applied between remote engineers and partners and plant floor applications and data:
• Authentication, Authorization and Accounting
• Access Control Lists (ACLs)
• Secure Browsing (HTTPS)
• Intrusion Protection and Detection
• Remote Terminal Session
• Application Security
• VLANs
Stand-alone Remote Industrial Application – example: remote site
Requirements:
• Connection out from the plant, direct access
• Little to no IT support, little to no alignment with Industrial Automation and Control System security standards
Potential solution:
• IPsec VPN, DMVPN, FlexVPN – ASA 5515 and/or Stratix 5900 (1783-SR / Cisco 819 ISR)
[Diagram: plant site WAN router – WAN (IPsec) – remote site WAN router; remote users: plant engineer, skid builder, system integrator; many such remote sites]
[Diagram: Stratix product placement across zones] Enterprise Zone: enterprise network (ERP, e-mail, WAN). Manufacturing Zone: Stratix 8300 managed Layer 3 switch, Stratix 5900 industrial services router, FactoryTalk applications and services. Cell/Area Zones #1–#4: Stratix 8000 managed Layer 2 switch (ring topology), Stratix 5700 managed Layer 2 switch (star topology), ETAP embedded Layer 2 switch (ring topology), embedded Layer 2 switch (linear topology); Stratix 5100 802.11n dual-band access point, lightweight AP (LWAP), AP as workgroup bridge (WGB), mobile user.
[Diagram: secure remote access reference architecture]
Enterprise Zone (Levels 4–5): Internet, enterprise WAN, enterprise data center, enterprise edge firewall; remote engineer or partner connecting over HTTPS / Cisco VPN client (IPsec VPN, SSL VPN); enterprise-connected engineer.
DMZ: Cisco ASA 5500 firewalls, active/standby with a Gbps link for failover detection; patch management, terminal services, application mirror, AV server.
Remote access server (RSLogix 5000, FactoryTalk View Studio), reached by Remote Desktop Protocol (RDP).
Manufacturing Zone – Site Manufacturing Operations and Control (Level 3): Catalyst 6500/4500, Catalyst 3750 StackWise switch stack; FactoryTalk application servers (View, Historian, AssetCentre, Transaction Manager); FactoryTalk Services Platform (Directory, Security/Audit); data servers.
Cell/Area Zones (Levels 0–2): EtherNet/IP.
1. The remote engineer or partner establishes a VPN to the corporate network; access is restricted to the IP address of the plant DMZ firewall
2. A portal on the plant firewall enables access to IACS data, files and applications; the intrusion prevention system (IPS) on the plant firewall detects and blocks attacks from the remote host
3. The firewall proxies a client session to the remote access server
4. Access to applications on the remote access server is restricted to specified plant-floor IACS resources through IACS application security
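The DMZ rules on the earlier slide (traffic terminates in the DMZ, no control traffic into it, be ready to disconnect) and the four-step remote-access chain above can both be checked against a firewall rule base before it goes live. The checker below is an added example, not code from the deck or from Cisco or Rockwell Automation: it models a policy as (source zone, destination zone, service) triples, walks every path from a remote engineer to the cell/area zone, and simulates the disconnect point. The zone and service names and the two sample policies are assumptions made for illustration.

```python
"""Zone policy checker for the DMZ design rules and the remote-access chain.

Added example; not code from the original deck or from Cisco or Rockwell
Automation. Firewall rules are modelled as (source zone, destination zone,
service) triples and checked against the invariants the slides state. Zone
names, service names and both sample policies are assumptions.
"""
from collections import defaultdict

ENTERPRISE_SIDE = {"remote", "internet", "enterprise"}
INDUSTRIAL_SIDE = {"manufacturing", "cell_area"}
# EtherNet/IP explicit (TCP 44818) and implicit I/O (UDP 2222) messaging.
CONTROL_SERVICES = {"enip", "cip_io"}


def fmt(path):
    """Render a path of (src, service, dst) hops as one line."""
    return path[0][0] + "".join(f" -[{svc}]-> {dst}" for _, svc, dst in path)


def check_dmz_rules(rules):
    """Static checks derived from the DMZ slide. Returns violation strings."""
    problems = []
    for src, dst, svc in rules:
        # Traffic from either side must terminate in the DMZ, never cross it.
        crosses = ((src in ENTERPRISE_SIDE and dst in INDUSTRIAL_SIDE) or
                   (src in INDUSTRIAL_SIDE and dst in ENTERPRISE_SIDE))
        if crosses:
            problems.append(f"direct traversal: {src} -> {dst} ({svc}) bypasses the DMZ")
        # No control traffic into the DMZ. Slightly stricter than the slide:
        # control protocols may only run between industrial zones.
        if svc in CONTROL_SERVICES and not ({src, dst} <= INDUSTRIAL_SIDE):
            problems.append(f"control protocol {svc} leaves the industrial zones: {src} -> {dst}")
    return problems


def paths(rules, start, goal):
    """Enumerate simple paths from start to goal through the permitted rules."""
    graph = defaultdict(list)
    for src, dst, svc in rules:
        graph[src].append((dst, svc))
    found = []

    def walk(zone, visited, hops):
        if zone == goal:
            found.append(hops)
            return
        for nxt, svc in graph[zone]:
            if nxt not in visited:
                walk(nxt, visited | {nxt}, hops + [(zone, svc, nxt)])

    walk(start, {start}, [])
    return found


def check_remote_access(rules, start="remote", goal="cell_area"):
    """Every path from a remote engineer to the plant floor must enter the DMZ,
    and the firewall must proxy a new session out of it (steps 2 and 3 above).
    The same service in and out is treated as a pass-through to review."""
    problems = []
    for path in paths(rules, start, goal):
        zones = [src for src, _, _ in path] + [path[-1][2]]
        if "dmz" not in zones:
            problems.append("path bypasses DMZ: " + fmt(path))
            continue
        svc_in = next(svc for _, svc, dst in path if dst == "dmz")
        svc_out = next(svc for src, svc, _ in path if src == "dmz")
        if svc_in == svc_out:
            problems.append(f"no protocol break at the DMZ ({svc_in} in and out): " + fmt(path))
    return problems


def disconnect(rules, zone):
    """'Be prepared to turn off access': drop every rule between zone and the DMZ."""
    return [r for r in rules if {r[0], r[1]} != {zone, "dmz"}]


def check_policy(rules):
    return check_dmz_rules(rules) + check_remote_access(rules)


# Constructed sample policies (assumed names) following the four numbered
# steps of the remote-access slide plus the DMZ mirror flows.
GOOD_POLICY = [
    ("remote", "enterprise", "ipsec_vpn"),    # 1. VPN to the corporate network
    ("enterprise", "dmz", "https"),           # 2. portal on the plant DMZ firewall
    ("dmz", "manufacturing", "rdp"),          # 3. firewall proxies a session to the remote access server
    ("manufacturing", "cell_area", "enip"),   # 4. RSLogix on that server reaches authorized controllers
    ("manufacturing", "dmz", "https"),        # patch and AV updates pulled from the DMZ
    ("enterprise", "dmz", "smb"),             # files pushed to the DMZ application mirror
]
BAD_POLICY = GOOD_POLICY + [
    ("enterprise", "manufacturing", "enip"),  # "temporary" direct CIP access for an engineer
    ("enterprise", "dmz", "rdp"),             # RDP straight through the DMZ to the RAS
]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(f"{name}: {check_policy(policy) or ['no violations']}")
    print("after disconnect:", paths(disconnect(GOOD_POLICY, "enterprise"), "remote", "cell_area"))
```

`check_policy(BAD_POLICY)` reports the direct EtherNet/IP rule twice (it both crosses the DMZ and carries a control protocol out of the industrial zones) and flags the RDP-in/RDP-out path for review; after `disconnect(GOOD_POLICY, "enterprise")` no path from the remote engineer to the cell/area zone remains.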
21 Steps to Securing a SCADA Network (U.S. Department of Energy): http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections to the SCADA network
3. Evaluate and strengthen the security of any remaining connections to the SCADA network
4. Harden SCADA networks by removing or disabling unnecessary services
5. Do not rely on proprietary protocols to protect your system
6. Implement the security features provided by device and system vendors
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection
14. Establish a rigorous, ongoing risk management process
15. Establish a network protection strategy based on the principle of defense-in-depth
16. Clearly identify cyber security requirements
17. Establish effective configuration management processes
18. Conduct routine self-assessments
19. Establish system backups and disaster recovery plans
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls